| Absolute File Name: | /home/opencoverage/opencoverage/guest-scripts/libressl/src/ssl/s3_cbc.c |
| Source code | Switch to Preprocessed file |
| Line | Source | Count | ||||||
|---|---|---|---|---|---|---|---|---|
| 1 | /* $OpenBSD: s3_cbc.c,v 1.17 2018/09/08 14:39:41 jsing Exp $ */ | - | ||||||
| 2 | /* ==================================================================== | - | ||||||
| 3 | * Copyright (c) 2012 The OpenSSL Project. All rights reserved. | - | ||||||
| 4 | * | - | ||||||
| 5 | * Redistribution and use in source and binary forms, with or without | - | ||||||
| 6 | * modification, are permitted provided that the following conditions | - | ||||||
| 7 | * are met: | - | ||||||
| 8 | * | - | ||||||
| 9 | * 1. Redistributions of source code must retain the above copyright | - | ||||||
| 10 | * notice, this list of conditions and the following disclaimer. | - | ||||||
| 11 | * | - | ||||||
| 12 | * 2. Redistributions in binary form must reproduce the above copyright | - | ||||||
| 13 | * notice, this list of conditions and the following disclaimer in | - | ||||||
| 14 | * the documentation and/or other materials provided with the | - | ||||||
| 15 | * distribution. | - | ||||||
| 16 | * | - | ||||||
| 17 | * 3. All advertising materials mentioning features or use of this | - | ||||||
| 18 | * software must display the following acknowledgment: | - | ||||||
| 19 | * "This product includes software developed by the OpenSSL Project | - | ||||||
| 20 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | - | ||||||
| 21 | * | - | ||||||
| 22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | - | ||||||
| 23 | * endorse or promote products derived from this software without | - | ||||||
| 24 | * prior written permission. For written permission, please contact | - | ||||||
| 25 | * openssl-core@openssl.org. | - | ||||||
| 26 | * | - | ||||||
| 27 | * 5. Products derived from this software may not be called "OpenSSL" | - | ||||||
| 28 | * nor may "OpenSSL" appear in their names without prior written | - | ||||||
| 29 | * permission of the OpenSSL Project. | - | ||||||
| 30 | * | - | ||||||
| 31 | * 6. Redistributions of any form whatsoever must retain the following | - | ||||||
| 32 | * acknowledgment: | - | ||||||
| 33 | * "This product includes software developed by the OpenSSL Project | - | ||||||
| 34 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | - | ||||||
| 35 | * | - | ||||||
| 36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | - | ||||||
| 37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | - | ||||||
| 38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | - | ||||||
| 39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | - | ||||||
| 40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | - | ||||||
| 41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | - | ||||||
| 42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | - | ||||||
| 43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | - | ||||||
| 44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | - | ||||||
| 45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | - | ||||||
| 46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | - | ||||||
| 47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | - | ||||||
| 48 | * ==================================================================== | - | ||||||
| 49 | * | - | ||||||
| 50 | * This product includes cryptographic software written by Eric Young | - | ||||||
| 51 | * (eay@cryptsoft.com). This product includes software written by Tim | - | ||||||
| 52 | * Hudson (tjh@cryptsoft.com). | - | ||||||
| 53 | * | - | ||||||
| 54 | */ | - | ||||||
| 55 | - | |||||||
| 56 | #include "ssl_locl.h" | - | ||||||
| 57 | - | |||||||
| 58 | #include <openssl/md5.h> | - | ||||||
| 59 | #include <openssl/sha.h> | - | ||||||
| 60 | - | |||||||
| 61 | /* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length | - | ||||||
| 62 | * field. (SHA-384/512 have 128-bit length.) */ | - | ||||||
| 63 | #define MAX_HASH_BIT_COUNT_BYTES 16 | - | ||||||
| 64 | - | |||||||
| 65 | /* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. | - | ||||||
| 66 | * Currently SHA-384/512 has a 128-byte block size and that's the largest | - | ||||||
| 67 | * supported by TLS.) */ | - | ||||||
| 68 | #define MAX_HASH_BLOCK_SIZE 128 | - | ||||||
| 69 | - | |||||||
| 70 | /* Some utility functions are needed: | - | ||||||
| 71 | * | - | ||||||
| 72 | * These macros return the given value with the MSB copied to all the other | - | ||||||
| 73 | * bits. They use the fact that arithmetic shift shifts-in the sign bit. | - | ||||||
| 74 | * However, this is not ensured by the C standard so you may need to replace | - | ||||||
| 75 | * them with something else on odd CPUs. */ | - | ||||||
| 76 | #define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1))) | - | ||||||
| 77 | #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) | - | ||||||
| 78 | - | |||||||
| 79 | /* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */ | - | ||||||
| 80 | static unsigned | - | ||||||
| 81 | constant_time_lt(unsigned a, unsigned b) | - | ||||||
| 82 | { | - | ||||||
| 83 | a -= b; | - | ||||||
| 84 | return DUPLICATE_MSB_TO_ALL(a); executed 29976 times by 1 test: return ((unsigned)((int)(a) >> (sizeof(int) * 8 - 1)));Executed by:
| 29976 | ||||||
| 85 | } | - | ||||||
| 86 | - | |||||||
| 87 | /* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */ | - | ||||||
| 88 | static unsigned | - | ||||||
| 89 | constant_time_ge(unsigned a, unsigned b) | - | ||||||
| 90 | { | - | ||||||
| 91 | a -= b; | - | ||||||
| 92 | return DUPLICATE_MSB_TO_ALL(~a); executed 243952 times by 1 test: return ((unsigned)((int)(~a) >> (sizeof(int) * 8 - 1)));Executed by:
| 243952 | ||||||
| 93 | } | - | ||||||
| 94 | - | |||||||
| 95 | /* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ | - | ||||||
| 96 | static unsigned char | - | ||||||
| 97 | constant_time_eq_8(unsigned a, unsigned b) | - | ||||||
| 98 | { | - | ||||||
| 99 | unsigned c = a ^ b; | - | ||||||
| 100 | c--; | - | ||||||
| 101 | return DUPLICATE_MSB_TO_ALL_8(c); executed 2576 times by 1 test: return ((unsigned char)(((unsigned)((int)(c) >> (sizeof(int) * 8 - 1)))));Executed by:
| 2576 | ||||||
| 102 | } | - | ||||||
| 103 | - | |||||||
| 104 | /* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC | - | ||||||
| 105 | * record in |rec| in constant time and returns 1 if the padding is valid and | - | ||||||
| 106 | * -1 otherwise. It also removes any explicit IV from the start of the record | - | ||||||
| 107 | * without leaking any timing about whether there was enough space after the | - | ||||||
| 108 | * padding was removed. | - | ||||||
| 109 | * | - | ||||||
| 110 | * block_size: the block size of the cipher used to encrypt the record. | - | ||||||
| 111 | * returns: | - | ||||||
| 112 | * 0: (in non-constant time) if the record is publicly invalid. | - | ||||||
| 113 | * 1: if the padding was valid | - | ||||||
| 114 | * -1: otherwise. */ | - | ||||||
| 115 | int | - | ||||||
| 116 | tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, | - | ||||||
| 117 | unsigned mac_size) | - | ||||||
| 118 | { | - | ||||||
| 119 | unsigned padding_length, good, to_check, i; | - | ||||||
| 120 | const unsigned overhead = 1 /* padding length byte */ + mac_size; | - | ||||||
| 121 | - | |||||||
| 122 | /* Check if version requires explicit IV */ | - | ||||||
| 123 | if (SSL_USE_EXPLICIT_IV(s)) {
| 76-108 | ||||||
| 124 | /* These lengths are all public so we can test them in | - | ||||||
| 125 | * non-constant time. | - | ||||||
| 126 | */ | - | ||||||
| 127 | if (overhead + block_size > rec->length)
| 0-76 | ||||||
| 128 | return 0; never executed: return 0; | 0 | ||||||
| 129 | /* We can now safely skip explicit IV */ | - | ||||||
| 130 | rec->data += block_size; | - | ||||||
| 131 | rec->input += block_size; | - | ||||||
| 132 | rec->length -= block_size; | - | ||||||
| 133 | } else if (overhead > rec->length) executed 76 times by 1 test: end of blockExecuted by:
| 0-108 | ||||||
| 134 | return 0; never executed: return 0; | 0 | ||||||
| 135 | - | |||||||
| 136 | padding_length = rec->data[rec->length - 1]; | - | ||||||
| 137 | - | |||||||
| 138 | good = constant_time_ge(rec->length, overhead + padding_length); | - | ||||||
| 139 | /* The padding consists of a length byte at the end of the record and | - | ||||||
| 140 | * then that many bytes of padding, all with the same value as the | - | ||||||
| 141 | * length byte. Thus, with the length byte included, there are i+1 | - | ||||||
| 142 | * bytes of padding. | - | ||||||
| 143 | * | - | ||||||
| 144 | * We can't check just |padding_length+1| bytes because that leaks | - | ||||||
| 145 | * decrypted information. Therefore we always have to check the maximum | - | ||||||
| 146 | * amount of padding possible. (Again, the length of the record is | - | ||||||
| 147 | * public information so we can use it.) */ | - | ||||||
| 148 | to_check = 255; /* maximum amount of padding. */ | - | ||||||
| 149 | if (to_check > rec->length - 1)
| 74-110 | ||||||
| 150 | to_check = rec->length - 1; executed 110 times by 1 test: to_check = rec->length - 1;Executed by:
| 110 | ||||||
| 151 | - | |||||||
| 152 | for (i = 0; i < to_check; i++) {
| 184-23816 | ||||||
| 153 | unsigned char mask = constant_time_ge(padding_length, i); | - | ||||||
| 154 | unsigned char b = rec->data[rec->length - 1 - i]; | - | ||||||
| 155 | /* The final |padding_length+1| bytes should all have the value | - | ||||||
| 156 | * |padding_length|. Therefore the XOR should be zero. */ | - | ||||||
| 157 | good &= ~(mask&(padding_length ^ b)); | - | ||||||
| 158 | } executed 23816 times by 1 test: end of blockExecuted by:
| 23816 | ||||||
| 159 | - | |||||||
| 160 | /* If any of the final |padding_length+1| bytes had the wrong value, | - | ||||||
| 161 | * one or more of the lower eight bits of |good| will be cleared. We | - | ||||||
| 162 | * AND the bottom 8 bits together and duplicate the result to all the | - | ||||||
| 163 | * bits. */ | - | ||||||
| 164 | good &= good >> 4; | - | ||||||
| 165 | good &= good >> 2; | - | ||||||
| 166 | good &= good >> 1; | - | ||||||
| 167 | good <<= sizeof(good)*8 - 1; | - | ||||||
| 168 | good = DUPLICATE_MSB_TO_ALL(good); | - | ||||||
| 169 | - | |||||||
| 170 | padding_length = good & (padding_length + 1); | - | ||||||
| 171 | rec->length -= padding_length; | - | ||||||
| 172 | rec->type |= padding_length<<8; /* kludge: pass padding length */ | - | ||||||
| 173 | - | |||||||
| 174 | return (int)((good & 1) | (~good & -1)); executed 184 times by 1 test: return (int)((good & 1) | (~good & -1));Executed by:
| 184 | ||||||
| 175 | } | - | ||||||
| 176 | - | |||||||
| 177 | /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in | - | ||||||
| 178 | * constant time (independent of the concrete value of rec->length, which may | - | ||||||
| 179 | * vary within a 256-byte window). | - | ||||||
| 180 | * | - | ||||||
| 181 | * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to | - | ||||||
| 182 | * this function. | - | ||||||
| 183 | * | - | ||||||
| 184 | * On entry: | - | ||||||
| 185 | * rec->orig_len >= md_size | - | ||||||
| 186 | * md_size <= EVP_MAX_MD_SIZE | - | ||||||
| 187 | * | - | ||||||
| 188 | * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with | - | ||||||
| 189 | * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into | - | ||||||
| 190 | * a single or pair of cache-lines, then the variable memory accesses don't | - | ||||||
| 191 | * actually affect the timing. CPUs with smaller cache-lines [if any] are | - | ||||||
| 192 | * not multi-core and are not considered vulnerable to cache-timing attacks. | - | ||||||
| 193 | */ | - | ||||||
| 194 | #define CBC_MAC_ROTATE_IN_PLACE | - | ||||||
| 195 | - | |||||||
| 196 | void | - | ||||||
| 197 | ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, | - | ||||||
| 198 | unsigned md_size, unsigned orig_len) | - | ||||||
| 199 | { | - | ||||||
| 200 | #if defined(CBC_MAC_ROTATE_IN_PLACE) | - | ||||||
| 201 | unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; | - | ||||||
| 202 | unsigned char *rotated_mac; | - | ||||||
| 203 | #else | - | ||||||
| 204 | unsigned char rotated_mac[EVP_MAX_MD_SIZE]; | - | ||||||
| 205 | #endif | - | ||||||
| 206 | - | |||||||
| 207 | /* mac_end is the index of |rec->data| just after the end of the MAC. */ | - | ||||||
| 208 | unsigned mac_end = rec->length; | - | ||||||
| 209 | unsigned mac_start = mac_end - md_size; | - | ||||||
| 210 | /* scan_start contains the number of bytes that we can ignore because | - | ||||||
| 211 | * the MAC's position can only vary by 255 bytes. */ | - | ||||||
| 212 | unsigned scan_start = 0; | - | ||||||
| 213 | unsigned i, j; | - | ||||||
| 214 | unsigned div_spoiler; | - | ||||||
| 215 | unsigned rotate_offset; | - | ||||||
| 216 | - | |||||||
| 217 | OPENSSL_assert(orig_len >= md_size); | - | ||||||
| 218 | OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); | - | ||||||
| 219 | - | |||||||
| 220 | #if defined(CBC_MAC_ROTATE_IN_PLACE) | - | ||||||
| 221 | rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf)&63); | - | ||||||
| 222 | #endif | - | ||||||
| 223 | - | |||||||
| 224 | /* This information is public so it's safe to branch based on it. */ | - | ||||||
| 225 | if (orig_len > md_size + 255 + 1)
| 74-110 | ||||||
| 226 | scan_start = orig_len - (md_size + 255 + 1); executed 74 times by 1 test: scan_start = orig_len - (md_size + 255 + 1);Executed by:
| 74 | ||||||
| 227 | /* div_spoiler contains a multiple of md_size that is used to cause the | - | ||||||
| 228 | * modulo operation to be constant time. Without this, the time varies | - | ||||||
| 229 | * based on the amount of padding when running on Intel chips at least. | - | ||||||
| 230 | * | - | ||||||
| 231 | * The aim of right-shifting md_size is so that the compiler doesn't | - | ||||||
| 232 | * figure out that it can remove div_spoiler as that would require it | - | ||||||
| 233 | * to prove that md_size is always even, which I hope is beyond it. */ | - | ||||||
| 234 | div_spoiler = md_size >> 1; | - | ||||||
| 235 | div_spoiler <<= (sizeof(div_spoiler) - 1) * 8; | - | ||||||
| 236 | rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; | - | ||||||
| 237 | - | |||||||
| 238 | memset(rotated_mac, 0, md_size); | - | ||||||
| 239 | for (i = scan_start, j = 0; i < orig_len; i++) {
| 184-25752 | ||||||
| 240 | unsigned char mac_started = constant_time_ge(i, mac_start); | - | ||||||
| 241 | unsigned char mac_ended = constant_time_ge(i, mac_end); | - | ||||||
| 242 | unsigned char b = rec->data[i]; | - | ||||||
| 243 | rotated_mac[j++] |= b & mac_started & ~mac_ended; | - | ||||||
| 244 | j &= constant_time_lt(j, md_size); | - | ||||||
| 245 | } executed 25752 times by 1 test: end of blockExecuted by:
| 25752 | ||||||
| 246 | - | |||||||
| 247 | /* Now rotate the MAC */ | - | ||||||
| 248 | #if defined(CBC_MAC_ROTATE_IN_PLACE) | - | ||||||
| 249 | j = 0; | - | ||||||
| 250 | for (i = 0; i < md_size; i++) {
| 184-4224 | ||||||
| 251 | /* in case cache-line is 32 bytes, touch second line */ | - | ||||||
| 252 | ((volatile unsigned char *)rotated_mac)[rotate_offset^32]; | - | ||||||
| 253 | out[j++] = rotated_mac[rotate_offset++]; | - | ||||||
| 254 | rotate_offset &= constant_time_lt(rotate_offset, md_size); | - | ||||||
| 255 | } executed 4224 times by 1 test: end of blockExecuted by:
| 4224 | ||||||
| 256 | #else | - | ||||||
| 257 | memset(out, 0, md_size); | - | ||||||
| 258 | rotate_offset = md_size - rotate_offset; | - | ||||||
| 259 | rotate_offset &= constant_time_lt(rotate_offset, md_size); | - | ||||||
| 260 | for (i = 0; i < md_size; i++) { | - | ||||||
| 261 | for (j = 0; j < md_size; j++) | - | ||||||
| 262 | out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset); | - | ||||||
| 263 | rotate_offset++; | - | ||||||
| 264 | rotate_offset &= constant_time_lt(rotate_offset, md_size); | - | ||||||
| 265 | } | - | ||||||
| 266 | #endif | - | ||||||
| 267 | } executed 184 times by 1 test: end of blockExecuted by:
| 184 | ||||||
| 268 | - | |||||||
| 269 | /* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in | - | ||||||
| 270 | * little-endian order. The value of p is advanced by four. */ | - | ||||||
| 271 | #define u32toLE(n, p) \ | - | ||||||
| 272 | (*((p)++)=(unsigned char)(n), \ | - | ||||||
| 273 | *((p)++)=(unsigned char)(n>>8), \ | - | ||||||
| 274 | *((p)++)=(unsigned char)(n>>16), \ | - | ||||||
| 275 | *((p)++)=(unsigned char)(n>>24)) | - | ||||||
| 276 | - | |||||||
| 277 | /* These functions serialize the state of a hash and thus perform the standard | - | ||||||
| 278 | * "final" operation without adding the padding and length that such a function | - | ||||||
| 279 | * typically does. */ | - | ||||||
| 280 | static void | - | ||||||
| 281 | tls1_md5_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
| 282 | { | - | ||||||
| 283 | MD5_CTX *md5 = ctx; | - | ||||||
| 284 | u32toLE(md5->A, md_out); | - | ||||||
| 285 | u32toLE(md5->B, md_out); | - | ||||||
| 286 | u32toLE(md5->C, md_out); | - | ||||||
| 287 | u32toLE(md5->D, md_out); | - | ||||||
| 288 | } never executed: end of block | 0 | ||||||
| 289 | - | |||||||
| 290 | static void | - | ||||||
| 291 | tls1_sha1_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
| 292 | { | - | ||||||
| 293 | SHA_CTX *sha1 = ctx; | - | ||||||
| 294 | l2n(sha1->h0, md_out); | - | ||||||
| 295 | l2n(sha1->h1, md_out); | - | ||||||
| 296 | l2n(sha1->h2, md_out); | - | ||||||
| 297 | l2n(sha1->h3, md_out); | - | ||||||
| 298 | l2n(sha1->h4, md_out); | - | ||||||
| 299 | } executed 1008 times by 1 test: end of blockExecuted by:
| 1008 | ||||||
| 300 | - | |||||||
| 301 | static void | - | ||||||
| 302 | tls1_sha256_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
| 303 | { | - | ||||||
| 304 | SHA256_CTX *sha256 = ctx; | - | ||||||
| 305 | unsigned i; | - | ||||||
| 306 | - | |||||||
| 307 | for (i = 0; i < 8; i++) {
| 252-2016 | ||||||
| 308 | l2n(sha256->h[i], md_out); | - | ||||||
| 309 | } executed 2016 times by 1 test: end of blockExecuted by:
| 2016 | ||||||
| 310 | } executed 252 times by 1 test: end of blockExecuted by:
| 252 | ||||||
| 311 | - | |||||||
| 312 | static void | - | ||||||
| 313 | tls1_sha512_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
| 314 | { | - | ||||||
| 315 | SHA512_CTX *sha512 = ctx; | - | ||||||
| 316 | unsigned i; | - | ||||||
| 317 | - | |||||||
| 318 | for (i = 0; i < 8; i++) {
| 28-224 | ||||||
| 319 | l2n8(sha512->h[i], md_out); | - | ||||||
| 320 | } executed 224 times by 1 test: end of blockExecuted by:
| 224 | ||||||
| 321 | } executed 28 times by 1 test: end of blockExecuted by:
| 28 | ||||||
| 322 | - | |||||||
| 323 | /* Largest hash context ever used by the functions above. */ | - | ||||||
| 324 | #define LARGEST_DIGEST_CTX SHA512_CTX | - | ||||||
| 325 | - | |||||||
| 326 | /* Type giving the alignment needed by the above */ | - | ||||||
| 327 | #define LARGEST_DIGEST_CTX_ALIGNMENT SHA_LONG64 | - | ||||||
| 328 | - | |||||||
| 329 | /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function | - | ||||||
| 330 | * which ssl3_cbc_digest_record supports. */ | - | ||||||
| 331 | char | - | ||||||
| 332 | ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) | - | ||||||
| 333 | { | - | ||||||
| 334 | switch (EVP_MD_CTX_type(ctx)) { | - | ||||||
| 335 | case NID_md5: never executed: case 4: | 0 | ||||||
| 336 | case NID_sha1: executed 144 times by 1 test: case 64:Executed by:
| 144 | ||||||
| 337 | case NID_sha224: never executed: case 675: | 0 | ||||||
| 338 | case NID_sha256: executed 36 times by 1 test: case 672:Executed by:
| 36 | ||||||
| 339 | case NID_sha384: executed 4 times by 1 test: case 673:Executed by:
| 4 | ||||||
| 340 | case NID_sha512: never executed: case 674: | 0 | ||||||
| 341 | return 1; executed 184 times by 1 test: return 1;Executed by:
| 184 | ||||||
| 342 | default: never executed: default: | 0 | ||||||
| 343 | return 0; never executed: return 0; | 0 | ||||||
| 344 | } | - | ||||||
| 345 | } | - | ||||||
| 346 | - | |||||||
| 347 | /* ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS | - | ||||||
| 348 | * record. | - | ||||||
| 349 | * | - | ||||||
| 350 | * ctx: the EVP_MD_CTX from which we take the hash function. | - | ||||||
| 351 | * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. | - | ||||||
| 352 | * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. | - | ||||||
| 353 | * md_out_size: if non-NULL, the number of output bytes is written here. | - | ||||||
| 354 | * header: the 13-byte, TLS record header. | - | ||||||
| 355 | * data: the record data itself, less any preceeding explicit IV. | - | ||||||
| 356 | * data_plus_mac_size: the secret, reported length of the data and MAC | - | ||||||
| 357 | * once the padding has been removed. | - | ||||||
| 358 | * data_plus_mac_plus_padding_size: the public length of the whole | - | ||||||
| 359 | * record, including padding. | - | ||||||
| 360 | * | - | ||||||
| 361 | * On entry: by virtue of having been through one of the remove_padding | - | ||||||
| 362 | * functions, above, we know that data_plus_mac_size is large enough to contain | - | ||||||
| 363 | * a padding byte and MAC. (If the padding was invalid, it might contain the | - | ||||||
| 364 | * padding too. ) | - | ||||||
| 365 | */ | - | ||||||
| 366 | int | - | ||||||
| 367 | ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, | - | ||||||
| 368 | size_t* md_out_size, const unsigned char header[13], | - | ||||||
| 369 | const unsigned char *data, size_t data_plus_mac_size, | - | ||||||
| 370 | size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, | - | ||||||
| 371 | unsigned mac_secret_length) | - | ||||||
| 372 | { | - | ||||||
| 373 | union { | - | ||||||
| 374 | /* | - | ||||||
| 375 | * Alignment here is to allow this to be cast as SHA512_CTX | - | ||||||
| 376 | * without losing alignment required by the 64-bit SHA_LONG64 | - | ||||||
| 377 | * integer it contains. | - | ||||||
| 378 | */ | - | ||||||
| 379 | LARGEST_DIGEST_CTX_ALIGNMENT align; | - | ||||||
| 380 | unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; | - | ||||||
| 381 | } md_state; | - | ||||||
| 382 | void (*md_final_raw)(void *ctx, unsigned char *md_out); | - | ||||||
| 383 | void (*md_transform)(void *ctx, const unsigned char *block); | - | ||||||
| 384 | unsigned md_size, md_block_size = 64; | - | ||||||
| 385 | unsigned header_length, variance_blocks, | - | ||||||
| 386 | len, max_mac_bytes, num_blocks, | - | ||||||
| 387 | num_starting_blocks, k, mac_end_offset, c, index_a, index_b; | - | ||||||
| 388 | unsigned int bits; /* at most 18 bits */ | - | ||||||
| 389 | unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; | - | ||||||
| 390 | /* hmac_pad is the masked HMAC key. */ | - | ||||||
| 391 | unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; | - | ||||||
| 392 | unsigned char first_block[MAX_HASH_BLOCK_SIZE]; | - | ||||||
| 393 | unsigned char mac_out[EVP_MAX_MD_SIZE]; | - | ||||||
| 394 | unsigned i, j, md_out_size_u; | - | ||||||
| 395 | EVP_MD_CTX md_ctx; | - | ||||||
| 396 | /* mdLengthSize is the number of bytes in the length field that terminates | - | ||||||
| 397 | * the hash. */ | - | ||||||
| 398 | unsigned md_length_size = 8; | - | ||||||
| 399 | char length_is_big_endian = 1; | - | ||||||
| 400 | - | |||||||
| 401 | /* This is a, hopefully redundant, check that allows us to forget about | - | ||||||
| 402 | * many possible overflows later in this function. */ | - | ||||||
| 403 | OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); | - | ||||||
| 404 | - | |||||||
| 405 | switch (EVP_MD_CTX_type(ctx)) { | - | ||||||
| 406 | case NID_md5: never executed: case 4: | 0 | ||||||
| 407 | MD5_Init((MD5_CTX*)md_state.c); | - | ||||||
| 408 | md_final_raw = tls1_md5_final_raw; | - | ||||||
| 409 | md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; | - | ||||||
| 410 | md_size = 16; | - | ||||||
| 411 | length_is_big_endian = 0; | - | ||||||
| 412 | break; never executed: break; | 0 | ||||||
| 413 | case NID_sha1: executed 144 times by 1 test: case 64:Executed by:
| 144 | ||||||
| 414 | SHA1_Init((SHA_CTX*)md_state.c); | - | ||||||
| 415 | md_final_raw = tls1_sha1_final_raw; | - | ||||||
| 416 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; | - | ||||||
| 417 | md_size = 20; | - | ||||||
| 418 | break; executed 144 times by 1 test: break;Executed by:
| 144 | ||||||
| 419 | case NID_sha224: never executed: case 675: | 0 | ||||||
| 420 | SHA224_Init((SHA256_CTX*)md_state.c); | - | ||||||
| 421 | md_final_raw = tls1_sha256_final_raw; | - | ||||||
| 422 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; | - | ||||||
| 423 | md_size = 224/8; | - | ||||||
| 424 | break; never executed: break; | 0 | ||||||
| 425 | case NID_sha256: executed 36 times by 1 test: case 672:Executed by:
| 36 | ||||||
| 426 | SHA256_Init((SHA256_CTX*)md_state.c); | - | ||||||
| 427 | md_final_raw = tls1_sha256_final_raw; | - | ||||||
| 428 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; | - | ||||||
| 429 | md_size = 32; | - | ||||||
| 430 | break; executed 36 times by 1 test: break;Executed by:
| 36 | ||||||
| 431 | case NID_sha384: executed 4 times by 1 test: case 673:Executed by:
| 4 | ||||||
| 432 | SHA384_Init((SHA512_CTX*)md_state.c); | - | ||||||
| 433 | md_final_raw = tls1_sha512_final_raw; | - | ||||||
| 434 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; | - | ||||||
| 435 | md_size = 384/8; | - | ||||||
| 436 | md_block_size = 128; | - | ||||||
| 437 | md_length_size = 16; | - | ||||||
| 438 | break; executed 4 times by 1 test: break;Executed by:
| 4 | ||||||
| 439 | case NID_sha512: never executed: case 674: | 0 | ||||||
| 440 | SHA512_Init((SHA512_CTX*)md_state.c); | - | ||||||
| 441 | md_final_raw = tls1_sha512_final_raw; | - | ||||||
| 442 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; | - | ||||||
| 443 | md_size = 64; | - | ||||||
| 444 | md_block_size = 128; | - | ||||||
| 445 | md_length_size = 16; | - | ||||||
| 446 | break; never executed: break; | 0 | ||||||
| 447 | default: never executed: default: | 0 | ||||||
| 448 | /* ssl3_cbc_record_digest_supported should have been | - | ||||||
| 449 | * called first to check that the hash function is | - | ||||||
| 450 | * supported. */ | - | ||||||
| 451 | OPENSSL_assert(0); | - | ||||||
| 452 | if (md_out_size)
| 0 | ||||||
| 453 | *md_out_size = 0; never executed: *md_out_size = 0; | 0 | ||||||
| 454 | return 0; never executed: return 0; | 0 | ||||||
| 455 | } | - | ||||||
| 456 | - | |||||||
| 457 | OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); | - | ||||||
| 458 | OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); | - | ||||||
| 459 | OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); | - | ||||||
| 460 | - | |||||||
| 461 | header_length = 13; | - | ||||||
| 462 | - | |||||||
| 463 | /* variance_blocks is the number of blocks of the hash that we have to | - | ||||||
| 464 | * calculate in constant time because they could be altered by the | - | ||||||
| 465 | * padding value. | - | ||||||
| 466 | * | - | ||||||
| 467 | * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not | - | ||||||
| 468 | * required to be minimal. Therefore we say that the final six blocks | - | ||||||
| 469 | * can vary based on the padding. | - | ||||||
| 470 | * | - | ||||||
| 471 | * Later in the function, if the message is short and there obviously | - | ||||||
| 472 | * cannot be this many blocks then variance_blocks can be reduced. */ | - | ||||||
| 473 | variance_blocks = 6; | - | ||||||
| 474 | /* From now on we're dealing with the MAC, which conceptually has 13 | - | ||||||
| 475 | * bytes of `header' before the start of the data (TLS) */ | - | ||||||
| 476 | len = data_plus_mac_plus_padding_size + header_length; | - | ||||||
| 477 | /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including | - | ||||||
| 478 | * |header|, assuming that there's no padding. */ | - | ||||||
| 479 | max_mac_bytes = len - md_size - 1; | - | ||||||
| 480 | /* num_blocks is the maximum number of hash blocks. */ | - | ||||||
| 481 | num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; | - | ||||||
| 482 | /* In order to calculate the MAC in constant time we have to handle | - | ||||||
| 483 | * the final blocks specially because the padding value could cause the | - | ||||||
| 484 | * end to appear somewhere in the final |variance_blocks| blocks and we | - | ||||||
| 485 | * can't leak where. However, |num_starting_blocks| worth of data can | - | ||||||
| 486 | * be hashed right away because no padding value can affect whether | - | ||||||
| 487 | * they are plaintext. */ | - | ||||||
| 488 | num_starting_blocks = 0; | - | ||||||
| 489 | /* k is the starting byte offset into the conceptual header||data where | - | ||||||
| 490 | * we start processing. */ | - | ||||||
| 491 | k = 0; | - | ||||||
| 492 | /* mac_end_offset is the index just past the end of the data to be | - | ||||||
| 493 | * MACed. */ | - | ||||||
| 494 | mac_end_offset = data_plus_mac_size + header_length - md_size; | - | ||||||
| 495 | /* c is the index of the 0x80 byte in the final hash block that | - | ||||||
| 496 | * contains application data. */ | - | ||||||
| 497 | c = mac_end_offset % md_block_size; | - | ||||||
| 498 | /* index_a is the hash block number that contains the 0x80 terminating | - | ||||||
| 499 | * value. */ | - | ||||||
| 500 | index_a = mac_end_offset / md_block_size; | - | ||||||
| 501 | /* index_b is the hash block number that contains the 64-bit hash | - | ||||||
| 502 | * length, in bits. */ | - | ||||||
| 503 | index_b = (mac_end_offset + md_length_size) / md_block_size; | - | ||||||
| 504 | /* bits is the hash-length in bits. It includes the additional hash | - | ||||||
| 505 | * block for the masked HMAC key. */ | - | ||||||
| 506 | - | |||||||
| 507 | if (num_blocks > variance_blocks) {
| 0-184 | ||||||
| 508 | num_starting_blocks = num_blocks - variance_blocks; | - | ||||||
| 509 | k = md_block_size*num_starting_blocks; | - | ||||||
| 510 | } never executed: end of block | 0 | ||||||
| 511 | - | |||||||
| 512 | bits = 8*mac_end_offset; | - | ||||||
| 513 | /* Compute the initial HMAC block. */ | - | ||||||
| 514 | bits += 8*md_block_size; | - | ||||||
| 515 | memset(hmac_pad, 0, md_block_size); | - | ||||||
| 516 | OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); | - | ||||||
| 517 | memcpy(hmac_pad, mac_secret, mac_secret_length); | - | ||||||
| 518 | for (i = 0; i < md_block_size; i++)
| 184-12032 | ||||||
| 519 | hmac_pad[i] ^= 0x36; executed 12032 times by 1 test: hmac_pad[i] ^= 0x36;Executed by:
| 12032 | ||||||
| 520 | - | |||||||
| 521 | md_transform(md_state.c, hmac_pad); | - | ||||||
| 522 | - | |||||||
| 523 | if (length_is_big_endian) {
| 0-184 | ||||||
| 524 | memset(length_bytes, 0, md_length_size - 4); | - | ||||||
| 525 | length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24); | - | ||||||
| 526 | length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16); | - | ||||||
| 527 | length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8); | - | ||||||
| 528 | length_bytes[md_length_size - 1] = (unsigned char)bits; | - | ||||||
| 529 | } else { executed 184 times by 1 test: end of blockExecuted by:
| 184 | ||||||
| 530 | memset(length_bytes, 0, md_length_size); | - | ||||||
| 531 | length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24); | - | ||||||
| 532 | length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16); | - | ||||||
| 533 | length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8); | - | ||||||
| 534 | length_bytes[md_length_size - 8] = (unsigned char)bits; | - | ||||||
| 535 | } never executed: end of block | 0 | ||||||
| 536 | - | |||||||
| 537 | if (k > 0) {
| 0-184 | ||||||
| 538 | /* k is a multiple of md_block_size. */ | - | ||||||
| 539 | memcpy(first_block, header, 13); | - | ||||||
| 540 | memcpy(first_block + 13, data, md_block_size - 13); | - | ||||||
| 541 | md_transform(md_state.c, first_block); | - | ||||||
| 542 | for (i = 1; i < k/md_block_size; i++)
| 0 | ||||||
| 543 | md_transform(md_state.c, data + md_block_size*i - 13); never executed: md_transform(md_state.c, data + md_block_size*i - 13); | 0 | ||||||
| 544 | } never executed: end of block | 0 | ||||||
| 545 | - | |||||||
| 546 | memset(mac_out, 0, sizeof(mac_out)); | - | ||||||
| 547 | - | |||||||
| 548 | /* We now process the final hash blocks. For each block, we construct | - | ||||||
| 549 | * it in constant time. If the |i==index_a| then we'll include the 0x80 | - | ||||||
| 550 | * bytes and zero pad etc. For each block we selectively copy it, in | - | ||||||
| 551 | * constant time, to |mac_out|. */ | - | ||||||
| 552 | for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; i++) {
| 184-1288 | ||||||
| 553 | unsigned char block[MAX_HASH_BLOCK_SIZE]; | - | ||||||
| 554 | unsigned char is_block_a = constant_time_eq_8(i, index_a); | - | ||||||
| 555 | unsigned char is_block_b = constant_time_eq_8(i, index_b); | - | ||||||
| 556 | for (j = 0; j < md_block_size; j++) {
| 1288-84224 | ||||||
| 557 | unsigned char b = 0, is_past_c, is_past_cp1; | - | ||||||
| 558 | if (k < header_length)
| 2392-81832 | ||||||
| 559 | b = header[k]; executed 2392 times by 1 test: b = header[k];Executed by:
| 2392 | ||||||
| 560 | else if (k < data_plus_mac_plus_padding_size + header_length)
| 26704-55128 | ||||||
| 561 | b = data[k - header_length]; executed 26704 times by 1 test: b = data[k - header_length];Executed by:
| 26704 | ||||||
| 562 | k++; | - | ||||||
| 563 | - | |||||||
| 564 | is_past_c = is_block_a & constant_time_ge(j, c); | - | ||||||
| 565 | is_past_cp1 = is_block_a & constant_time_ge(j, c + 1); | - | ||||||
| 566 | /* If this is the block containing the end of the | - | ||||||
| 567 | * application data, and we are at the offset for the | - | ||||||
| 568 | * 0x80 value, then overwrite b with 0x80. */ | - | ||||||
| 569 | b = (b&~is_past_c) | (0x80&is_past_c); | - | ||||||
| 570 | /* If this is the block containing the end of the | - | ||||||
| 571 | * application data and we're past the 0x80 value then | - | ||||||
| 572 | * just write zero. */ | - | ||||||
| 573 | b = b&~is_past_cp1; | - | ||||||
| 574 | /* If this is index_b (the final block), but not | - | ||||||
| 575 | * index_a (the end of the data), then the 64-bit | - | ||||||
| 576 | * length didn't fit into index_a and we're having to | - | ||||||
| 577 | * add an extra block of zeros. */ | - | ||||||
| 578 | b &= ~is_block_b | is_block_a; | - | ||||||
| 579 | - | |||||||
| 580 | /* The final bytes of one of the blocks contains the | - | ||||||
| 581 | * length. */ | - | ||||||
| 582 | if (j >= md_block_size - md_length_size) {
| 10528-73696 | ||||||
| 583 | /* If this is index_b, write a length byte. */ | - | ||||||
| 584 | b = (b&~is_block_b) | (is_block_b&length_bytes[j - (md_block_size - md_length_size)]); | - | ||||||
| 585 | } executed 10528 times by 1 test: end of blockExecuted by:
| 10528 | ||||||
| 586 | block[j] = b; | - | ||||||
| 587 | } executed 84224 times by 1 test: end of blockExecuted by:
| 84224 | ||||||
| 588 | - | |||||||
| 589 | md_transform(md_state.c, block); | - | ||||||
| 590 | md_final_raw(md_state.c, block); | - | ||||||
| 591 | /* If this is index_b, copy the hash value to |mac_out|. */ | - | ||||||
| 592 | for (j = 0; j < md_size; j++)
| 1288-29568 | ||||||
| 593 | mac_out[j] |= block[j]&is_block_b; executed 29568 times by 1 test: mac_out[j] |= block[j]&is_block_b;Executed by:
| 29568 | ||||||
| 594 | } executed 1288 times by 1 test: end of blockExecuted by:
| 1288 | ||||||
| 595 | - | |||||||
| 596 | EVP_MD_CTX_init(&md_ctx); | - | ||||||
| 597 | if (!EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */)) {
| 0-184 | ||||||
| 598 | EVP_MD_CTX_cleanup(&md_ctx); | - | ||||||
| 599 | return 0; never executed: return 0; | 0 | ||||||
| 600 | } | - | ||||||
| 601 | - | |||||||
| 602 | /* Complete the HMAC in the standard manner. */ | - | ||||||
| 603 | for (i = 0; i < md_block_size; i++)
| 184-12032 | ||||||
| 604 | hmac_pad[i] ^= 0x6a; executed 12032 times by 1 test: hmac_pad[i] ^= 0x6a;Executed by:
| 12032 | ||||||
| 605 | - | |||||||
| 606 | EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); | - | ||||||
| 607 | EVP_DigestUpdate(&md_ctx, mac_out, md_size); | - | ||||||
| 608 | - | |||||||
| 609 | EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); | - | ||||||
| 610 | if (md_out_size)
| 0-184 | ||||||
| 611 | *md_out_size = md_out_size_u; executed 184 times by 1 test: *md_out_size = md_out_size_u;Executed by:
| 184 | ||||||
| 612 | EVP_MD_CTX_cleanup(&md_ctx); | - | ||||||
| 613 | - | |||||||
| 614 | return 1; executed 184 times by 1 test: return 1;Executed by:
| 184 | ||||||
| 615 | } | - | ||||||
| Source code | Switch to Preprocessed file |